Pages

24 April 2019

Using Security to Enable, Rather Than Block, Business

By Scott Stewart

Avoiding all risk is the best way to stay safe, but a risk avoidance model of corporate security can be at odds with a company's business goals. Instead, they must develop security programs that help employees understand, anticipate and mitigate risks. 
This type of program enables businesses to operate despite risks and remain resilient in the face of adversity.  I recently received a call from a friend who had some security questions about Mexico. As a company security director, he wanted to know if it was safe for employees in his charge to travel on a particular stretch of highway. The Stratfor Threat Lens team frequently fields queries like this, and we duly discussed the cartel dynamics in the area and some ways employees could mitigate the threats along that route.

But then my friend made a comment that really resonated with me: "You know, if we strictly followed the U.S. government's travel advice, we'd never be able to operate in Mexico." He's right, and he's not alone.

The Big Picture

The world is inherently full of risk. In fact, there is some degree of risk associated with everything we do — or don't. Fortune may indeed favor the bold, but only if the bold understand the risks they are about to encounter and take steps to mitigate them.

A number of U.S.-based companies and organizations operate in Colima, Guerrero, Michoacan, Sinaloa and Tamaulipas — the five Mexican states subject to a "Level 4: Do Not Travel" warning from the U.S. government. Mexico's two biggest ports, Lazaro Cardenas and Manzanillo, are in Michoacan and Colima, respectively, and billions of dollars of commerce flows through them every year. Likewise, Mexico's busiest commercial border crossing with the United States is Nuevo Laredo, a city in Tamaulipas that handles approximately half of all trade-related traffic — totaling about $500 million worth of goods per day — between the two countries. It's clear that if companies strictly followed the U.S. government's travel advice for Mexico and suspended all operations in these states, they would lose out on billions of dollars of business.

But that's not meant to be a criticism of the U.S. State Department, which compiles and publishes travel advisories. The department isn't concocting the listings out of thin air; there are indeed risks to operating in Mexico, or any other country, for that matter. The State Department's travel advisories merely reflect the body's primary objective: keeping U.S. citizens safe from harm, a goal it pursues through risk avoidance.
The Problems of Total Risk Avoidance

Ultimately, risk avoidance is a fine operational principle to use in guiding travel advisories, but it's simply untenable for many businesses and nongovernmental organizations, whose business models and missions compel them to operate in areas where they will encounter at least some risk. For these entities, it's critical that they understand and anticipate risks, monitor threats, and take steps to mitigate the impact that those risks and threats have on business operations.

Some security officers who transition from backgrounds in the military or government to the private sector struggle when they attempt to adopt a risk avoidance model. They quickly become (or are at least perceived to be) obstacles to business rather than enablers, meaning they generally do not last in the position long. Of course, the flip side of the coin is no better — if not worse — as ignoring risk frequently results in disaster. Indeed, we all too regularly see on the nightly news the tragic consequences of what happens when risks are routinely ignored.

Risk avoidance is a fine operational principle to use in guiding travel advisories, but it's simply untenable for many businesses and nongovernmental organizations.

But there is an appropriate alternative to those extremes: a prudent security program that understands and anticipates risks, as well as takes steps to mitigate their potential effect on operations. This approach enables operations to succeed despite risk and remain resilient in the face of adversity.
Thriving Despite the Threats

Risk is inherent in everything we do — or don't do. Obviously, however, some activities are riskier than others. Companies and organizations must develop a way to think about risk that begins with understanding their mission and clearly outlines the degree of risk they are willing to tolerate. Naturally, some organizations and companies are, by their very nature, more likely to operate in risky areas, such as NGOs that work with refugees near war zones or resource extraction companies with operations in hostile or remote locations. But no matter the primary mission, everyone in a company, from leaders to workers in the field, must understand the risks their organization is willing to take to achieve its goals.

Once an organization determines its risk tolerance, it can focus on understanding global risks and learning the specific risks associated with locations in which it operates (or wishes to) and measure these threats against its level of risk tolerance. By creating forecasts of geopolitical and tactical trends, companies and organizations can anticipate emerging risks. And by tracking these trends and dynamics, they can maintain a situational awareness of existing threats and problems. Understanding risks can also guide decisions whether to expand or draw down operations, which is necessary if one wishes to craft solid contingency plans and establish parameters by which the plans are triggered. Of course, the geopolitical and security analysis provided by Stratfor can be a tool to help on this front, but obviously, it is not the only source of relevant information.

But beyond contingency plans, a company can help keep its workforce and facilities safe even in areas of heightened risk by establishing sound security policies, plans and procedures. In some areas, however, the expense of security measures means the company must balance prudent precautions against the bottom line.

More often than not, resiliency translates into success in terms of an organization's mission.

In addition to gates, guns and guards, one of the important ways that security programs can mitigate risk is to teach employees what they are facing before they enter the field, especially in areas prone to criminal or militant activity or civil unrest. Effective training will help employees understand the dangers they may encounter, spot threats as they develop and know actions to take in response. Teaching such topics as situational awareness, the attack cycle, surveillance detection and tactical driving and first aid skills provides employees with a robust toolkit that can help them recognize and respond to dangerous situations. And if trained field personnel communicate and coordinate with a well-informed security team back at headquarters, it can create a powerful synergy that lessens the effect that threats have on an organization's employees and operations. 

This combination can also foster resiliency at difficult times. A natural disaster, coup, civil disturbance or a significant criminal or terrorist attack will leave an indelible mark on a city or country, as well as the companies and organizations working there. However, a well-trained country team that has developed tried and tested contingency plans will be in a far better position to ride out the crisis, evacuate its personnel or resume operations than a team that has not received adequate training. And, more often than not, that resiliency translates into success in terms of the organization's mission.

Avoiding all risk will keep a business safe, although perhaps not in business for long. The key, instead, is mitigating risk. By helping companies and organizations understand, anticipate and cut down on risk, security programs can become enablers — rather than roadblocks — to a business' success.

No comments:

Post a Comment